<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">Here's a new release with some security fixes and quite a lot of other changes as well.</div><div class=""><br class=""></div><a href="https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz" class="">https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz</a><br class=""><a href="https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz.sig" class="">https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz.sig</a><br class=""><br class=""><div class="">Binary packages in <a href="https://repo.dovecot.org/" class="">https://repo.dovecot.org/</a><br class="">Docker images in <a href="https://hub.docker.com/r/dovecot/dovecot" class="">https://hub.docker.com/r/dovecot/dovecot</a></div><div class=""><br class=""></div><div class=""><div class=""> * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in</div><div class=""> JWT tokens. This may be used to supply attacker-controlled keys to</div><div class=""> validate tokens, if the attacker has local access.</div><div class=""> * CVE-2021-33515: An on-path attacker could have injected plaintext commands</div><div class=""> before STARTTLS negotiation that would be executed after STARTTLS</div><div class=""> finished with the client.</div><div class=""> * Disconnection log messages are now more standardized across services.</div><div class=""> They also always now start with the "Disconnected" prefix.</div><div class=""> * Dovecot now depends on libsystemd for systemd integration.</div><div class=""> * Removed support for Lua 5.2. 
Use version 5.1 or 5.3 instead.</div><div class=""> * config: Some settings are now marked as "hidden". It's discouraged to</div><div class=""> change these settings. They will no longer be visible in doveconf</div><div class=""> output, except if they have been changed or if the doveconf -s parameter</div><div class=""> is used. See <a href="https://doc.dovecot.org/settings/advanced/" class="">https://doc.dovecot.org/settings/advanced/</a> for details.</div><div class=""> * imap-compress: Compression level is now algorithm specific.</div><div class=""> See <a href="https://doc.dovecot.org/settings/plugin/compress-plugin/" class="">https://doc.dovecot.org/settings/plugin/compress-plugin/</a></div><div class=""> * indexer-worker: Convert "Indexed" info logs to an event named</div><div class=""> "indexer_worker_indexing_finished". See</div><div class=""> <a href="https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished" class="">https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished</a></div><div class=""> + Add TLSv1.3 support to min_protocols.</div><div class=""> + Allow configuring ssl_cipher_suites. (for TLSv1.3+)</div><div class=""> + acl: Add acl_ignore_namespace setting which allows entirely ignoring</div><div class=""> ACLs for the listed namespaces.</div><div class=""> + imap: Support official RFC8970 preview/snippet syntax. Old methods of</div><div class=""> retrieving preview information via IMAP commands ("SNIPPET and PREVIEW</div><div class=""> with explicit algorithm selection") have been deprecated.</div><div class=""> + imapc: Support INDEXPVT for imapc storage to enable private</div><div class=""> message flags for cluster-wide shared mailboxes.</div><div class=""> + lib-storage: Add new events: mail_opened, mail_expunge_requested,</div><div class=""> mail_expunged, mail_cache_lookup_finished. 
See</div><div class=""> <a href="https://doc.dovecot.org/admin_manual/list_of_events/#mail" class="">https://doc.dovecot.org/admin_manual/list_of_events/#mail</a></div><div class=""> + zlib, imap-compression, fs-compress: Support compression levels that</div><div class=""> the algorithm supports. Before, we would allow a hardcoded value between</div><div class=""> 1 and 9 and would default to 6. Now we allow using the per-algorithm value</div><div class=""> range and default to whatever default the algorithm specifies.</div><div class=""> - *-login: Commands pipelined together with and just after the authenticate</div><div class=""> command cause these commands to be executed twice. This applies to all</div><div class=""> protocols that involve user login, which currently comprises imap,</div><div class=""> pop3, submission and managesieve.</div><div class=""> - *-login: Processes are supposed to disconnect the oldest non-logged in</div><div class=""> connection when process_limit was reached. This didn't actually happen</div><div class=""> with the default "high-security mode" (with service_count=1) where each</div><div class=""> connection is handled by a separate process.</div><div class=""> - *-login: When the login process reaches client/process limits, the oldest</div><div class=""> client connections are disconnected. If one of these was still doing</div><div class=""> an anvil lookup, this caused a crash. This could happen only if the login</div><div class=""> process limits were very low or if the server was overloaded.</div><div class=""> - Fixed building with link-time optimizations (-flto).</div><div class=""> - auth: Userdb iteration with passwd driver does not always return all</div><div class=""> users with some nss drivers.</div><div class=""> - dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was</div><div class=""> disabled. 
If a user has a shared mailbox which is another user's INBOX,</div><div class=""> dsync didn't include the mailbox in syncing unless explicit naming is</div><div class=""> enabled with "mail_shared_explicit_inbox" set to "yes".</div><div class=""> - dsync: Shared namespaces were not synced with the "-n" flag.</div><div class=""> - dsync: Syncing shared INBOX failed if mail_attribute_dict was not set.</div><div class=""> If a user has a shared mailbox that is another user's INBOX, dsync</div><div class=""> failed to export the mailbox if mail attributes are disabled.</div><div class=""> - fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP</div><div class=""> requests to assert-crash: Panic: file http-client-request.c: line 1232</div><div class=""> (http_client_request_send_more): assertion failed: (req->payload_input != NULL)</div><div class=""> - fts-tika: 5xx errors returned by the Tika server were treated as indexing failures.</div><div class=""> However, Tika can return 5xx for some attachments every time.</div><div class=""> So the 5xx error should be retried once, but treated as success if it</div><div class=""> happens on the retry as well. v2.3 regression.</div><div class=""> - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have</div><div class=""> resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts):</div><div class=""> assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input))</div><div class=""> - imap: SETMETADATA could not be used to unset metadata values.</div><div class=""> Instead, NIL was handled as a "NIL" string. 
v2.3.14 regression.</div><div class=""> - imap: IMAP BINARY FETCH crashes at least on an empty base64 body:</div><div class=""> Panic: file index-mail-binary.c: line 358 (blocks_count_lines):</div><div class=""> assertion failed: (block_count == 0 || block_idx+1 == block_count)</div><div class=""> - imap: If an IMAP client using the NOTIFY command was disconnected while</div><div class=""> sending FETCH notifications to the client, imap could crash with</div><div class=""> Panic: Trying to close mailbox INBOX with open transactions.</div><div class=""> - imap: Using the IMAP COMPRESS extension can cause the IMAP connection to hang</div><div class=""> when IMAP commands are >8 kB long.</div><div class=""> - imapc: If the remote server sent BYE but didn't immediately disconnect, it</div><div class=""> could cause an infinite busy-loop.</div><div class=""> - lib-index: Corrupted cache record size in the dovecot.index.cache file</div><div class=""> could have caused a crash (segfault) when accessing it.</div><div class=""> - lib-oauth2: JWT token time validation now works correctly on</div><div class=""> 32-bit systems.</div><div class=""> - lib-ssl-iostream: Checking hostnames against an SSL certificate was</div><div class=""> case-sensitive.</div><div class=""> - lib-storage: Corrupted mime.parts in dovecot.index.cache may have</div><div class=""> resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body):</div><div class=""> assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))</div><div class=""> - lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't</div><div class=""> preserve the "hdr-pop3-uidl" header. 
Because of this, the next pop3</div><div class=""> session could have accessed all of the emails' metadata to read their</div><div class=""> POP3 UIDL (opening dbox files).</div><div class=""> - listescape: When using the listescape plugin and a shared namespace,</div><div class=""> the plugin no longer worked properly, resulting in errors like:</div><div class=""> "Invalid mailbox name: Name must not have '/' character."</div><div class=""> - lmtp: The connection crashes if it gets disconnected due to</div><div class=""> multiple bad commands and the last bad command is BDAT.</div><div class=""> - lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly</div><div class=""> forwarded by the LMTP proxy without checking that the backend has support.</div><div class=""> This caused a command parameter error from the backend if it was</div><div class=""> running an older Dovecot release. This could only occur in more complex</div><div class=""> setups where the message was proxied twice; when the proxy generated</div><div class=""> the XRCPTFORWARD parameter itself the problem did not occur, so this</div><div class=""> only happened when it was forwarded.</div><div class=""> - lmtp: The LMTP proxy crashes with a panic when the remote server</div><div class=""> replies with an error while the mail is still being forwarded through</div><div class=""> a DATA/BDAT command.</div><div class=""> - lmtp: The username may have been missing from lmtp log line prefixes when</div><div class=""> it was performing autoexpunging.</div><div class=""> - master: Dovecot would incorrectly fail with haproxy 2.0.14 service</div><div class=""> checks.</div><div class=""> - master: Systemd service: Dovecot announces readiness for accepting</div><div class=""> connections earlier than it should. 
The following environment variables</div><div class=""> are now imported automatically and can be omitted from the</div><div class=""> import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID.</div><div class=""> - master: service { process_min_avail } was launching processes too</div><div class=""> slowly when the master was forking a lot of processes.</div><div class=""> - util: Make the health-check.sh example script POSIX shell compatible.</div></div><div class=""><br class=""></div></div></body></html>
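The CVE-2021-33515 entry above describes the STARTTLS plaintext-injection bug class: a line-based server reads from the socket into a buffer, and if bytes that followed the STARTTLS command in the plaintext stream are left in that buffer across the TLS upgrade, the server executes them later as though they had arrived inside the TLS session. The following is an added, constructed model of that bug class and of one way to close it; it is not Dovecot's code and does not claim to be the fix the project shipped. The socket is a byte string, the TLS handshake is a flag, and the command names and tags in the sample input are invented for the illustration.

```python
"""
Model of the STARTTLS plaintext-injection bug class.

Constructed example: the "socket" is a byte string and the TLS handshake
is simulated by a flag. Not Dovecot's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Conn:
    inbuf: bytes = b""                              # read but not yet consumed
    tls: bool = False                               # True once TLS is up
    executed: list = field(default_factory=list)    # (command, ran_under_tls)


def next_line(conn: Conn):
    """Pop one CRLF-terminated line from the buffer, or None if incomplete."""
    idx = conn.inbuf.find(b"\r\n")
    if idx < 0:
        return None
    line, conn.inbuf = conn.inbuf[:idx], conn.inbuf[idx + 2:]
    return line.decode("ascii", "replace")


def process(conn: Conn, hardened: bool) -> str:
    """Execute buffered commands.

    Returns "STARTTLS" when the caller must now run the TLS handshake,
    "BAD" when the connection must be dropped, "OK" when input is exhausted.
    """
    while (line := next_line(conn)) is not None:
        tag, _, cmd = line.partition(" ")
        if cmd.upper() == "STARTTLS":
            if conn.tls:
                return "BAD"        # STARTTLS inside TLS is a protocol error
            if hardened and conn.inbuf:
                # Anything already buffered behind STARTTLS was sent in
                # plaintext and may have been injected on-path: refuse it
                # rather than carry it into the TLS session.
                return "BAD"
            conn.tls = True
            return "STARTTLS"       # stop reading plaintext; handshake next
        conn.executed.append((line, conn.tls))
    return "OK"


def run_session(plaintext: bytes, post_tls: bytes, hardened: bool):
    """plaintext: bytes read before the handshake (tamperable on-path);
    post_tls: bytes that arrive through the TLS layer afterwards."""
    conn = Conn()
    conn.inbuf += plaintext
    status = process(conn, hardened)
    if status == "STARTTLS":
        # A real server performs the TLS handshake here. The vulnerable
        # variant keeps conn.inbuf, so leftover plaintext runs first,
        # indistinguishable from commands the client sent under TLS.
        conn.inbuf += post_tls
        status = process(conn, hardened)
    return status, conn.executed


# Constructed traffic: the attacker appends a command to the client's
# STARTTLS line; the client's real LOGIN arrives only after the handshake.
INJECTED = b"a1 STARTTLS\r\nx1 LOGIN attacker pw\r\n"
CLIENT_TLS = b"a2 LOGIN victim hunter2\r\n"

if __name__ == "__main__":
    print("vulnerable:", run_session(INJECTED, CLIENT_TLS, hardened=False))
    print("hardened:  ", run_session(INJECTED, CLIENT_TLS, hardened=True))
```

In the vulnerable run the injected `x1 LOGIN` is recorded with `ran_under_tls=True`, which is exactly the confusion the advisory describes. The hardened variant drops the connection instead of silently discarding the bytes; a client that pipelines commands behind STARTTLS is already outside the protocol, so nothing legitimate is lost, and a hard failure is easier to notice in logs than a quiet discard.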
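The CVE-2021-29157 entry above says the kid and azp fields of a JWT were not escaped before use. A validator that stores its verification keys in a tree keyed by the token's azp claim and kid header builds a lookup path from two token-supplied strings, and joining them unescaped lets a kid such as `../../tmp/evil` point the lookup at a key the attacker was able to write locally, which is why the entry requires local access. The following is an added, constructed example of the unescaped form beside a hardened one; it is not Dovecot's code. `KEY_ROOT` and the `<root>/<azp>/<kid>` layout are assumptions made for the illustration, not Dovecot's actual key storage.

```python
"""
Key-lookup hardening for token-supplied path components (kid, azp).

Constructed example, not Dovecot's code. KEY_ROOT and the layout
<root>/<azp>/<kid> are assumptions for illustration only.
"""
import posixpath
from urllib.parse import quote

KEY_ROOT = "/etc/dovecot/jwt-keys"      # assumed location of trusted keys


def key_path_unescaped(azp: str, kid: str) -> str:
    """The bug class: token fields used verbatim as path components."""
    return f"{KEY_ROOT}/{azp}/{kid}"


def safe_component(value: str) -> str:
    """Percent-escape one token-supplied path component.

    quote() with safe='' escapes '/', so the component can never span a
    directory boundary. '.' is an unreserved character and survives, so
    the empty string, '.' and '..' are rejected explicitly: they would
    still resolve to a different node than <azp>/<kid>.
    """
    if value in ("", ".", ".."):
        raise ValueError(f"invalid key id component: {value!r}")
    return quote(value, safe="")


def key_path_escaped(azp: str, kid: str) -> str:
    """Hardened form: every byte outside [A-Za-z0-9_.~-] is escaped."""
    return f"{KEY_ROOT}/{safe_component(azp)}/{safe_component(kid)}"


def is_confined(path: str, root: str = KEY_ROOT) -> bool:
    """Defence in depth: after normalisation the path must still be a
    strict descendant of root, whatever the caller did to build it."""
    return posixpath.normpath(path).startswith(root.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed token values: a traversal kid and a URL-shaped azp.
    for azp, kid in [("mailclient", "../../../tmp/evil"),
                     ("https://idp.example/app", "key 1")]:
        p = key_path_unescaped(azp, kid)
        print("unescaped:", p, "confined" if is_confined(p) else "ESCAPED ROOT")
        q = key_path_escaped(azp, kid)
        print("escaped:  ", q, "confined" if is_confined(q) else "ESCAPED ROOT")
```

Escaping and confinement are deliberately separate checks: escaping fixes how the path is built, `is_confined` catches any other code path that still concatenates raw input. An `azp` that is itself a URL (common in OAuth2 deployments) becomes a single opaque component rather than a nested directory, so the same key lands in the same place regardless of how many slashes the issuer put in its client id.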